[Previous entry: "View privileges"] [Next entry: "Alex Kornbrust has today released 3 new Oracle security advisories"]
Tom talks about direct dictionary editing
April 26th, 2005 by Pete
Post to del.icio.us
Post to Furl
I was reading Tom's blog entry for yesterday last night titled "The Birth of Asktom" and it got me thinking about some of the security aspects of what he had written. As you may have guessed the blog entry discusses the events that lead to Tom creating his AskTom website, one of these was a tip in an edition of oramag that suggested that it was OK to update the data dictionary directly to rename a column in an 8i version. 9i introduced the rename column command. Tom was obviously not impressed with this.
I have also seen posts on newsgroups from time to time that suggest updating the dictionary directly. This is a bad idea. But the reason I was interested in Tom's post is that I have seen it done but for nefarious reasons not just because of trying to get around the lack of a feature. I know that Alex Kornbrusts Company has released a tool (repscan) that detects just this kind of activity, i.e. direct editing of the data dictionary. If you cannot guarantee the integrity of the data dictionary then you are in trouble.
